[VIM] Missed PHP file include in recent Calendarix

Steven M. Christey coley at mitre.org
Mon Jun 6 23:51:35 EDT 2005


  BUGTRAQ:20050531 multiple vulnerability Calendarix Advanced

Multiple VDBs seem to have missed the following portion of the post:


        line 16

I downloaded the demo version of Calendarix, and there are only 2
previous PHP statements before this line - both include statements,
neither of which seems to define $calpath, which is defined in
cal_config.php.  cal_admintop.php itself is included a number of times
in other files.

Thus it appears to be a typical file include issue where an include
file depends on variables defined by previously included files, but is
directly callable assuming the relevant PHP configuration
etc. etc. etc.

Also, at least two of the SQL injection issues in the "catview"
parameter seem to lead to the same eventqry function as defined in

cal_day.php line 112:

  $result = eventqry($vda,$vdm,$year,$uname,$order,true,$catview) ;

cal_week.php line 193:

  $result = eventqry($fdd,$fdm,$fdy,$uname,$order,true,$catview) ;

cal_cat.php lines 34 through 39 have their own vulnerable select
calls, though:

  if (($ALLOWVIEW[6]==1)&&($catview!=0))
    $query = "select cat_id,cat_name,cat_color,parent_id from ".$CAT_TB." where cat_id=$catview";

  if ($ALLOWVIEW[11]==1)
    $query = "select cat_id,cat_name,cat_color,parent_id from ".$CAT_TB." where cat_id=$catview or parent_id=$catview";

This was based solely on source code inspection of the demo version of
Calendarix Advanced.

I'll be sending an inquiry to the developer shortly.

- Steve
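A hardened counterpart to the cal_cat.php queries and the directly-callable include file discussed in the post, added here as an illustration; it is not Calendarix code. The table contents, the $pdo connection, the IN_CALENDARIX constant and the function names are assumptions; $CAT_TB, $ALLOWVIEW and $catview keep the names from the post.

```php
<?php
// Added example, not Calendarix code. $CAT_TB, $ALLOWVIEW and $catview keep the
// post's names; the table contents, $pdo, IN_CALENDARIX and function names are
// assumptions made for this illustration.

// Hardened form of the cal_cat.php queries: cat_id is numeric, so non-integers
// are rejected before reaching SQL and the value is bound, not interpolated.
// Table names cannot be bound, so $CAT_TB is checked against a whitelist.
function cat_query_hardened(PDO $pdo, string $CAT_TB, array $ALLOWVIEW, $catview): array {
    if (!in_array($CAT_TB, ['cal_category'], true)) {
        throw new InvalidArgumentException('unexpected category table');
    }
    $cat_id = filter_var($catview, FILTER_VALIDATE_INT);
    if ($cat_id === false) {
        return [];   // e.g. "1 or 1=1" never reaches the database
    }
    if (($ALLOWVIEW[11] ?? 0) == 1) {
        $stmt = $pdo->prepare("select cat_id,cat_name,cat_color,parent_id from $CAT_TB where cat_id=:id or parent_id=:pid");
        $stmt->execute([':id' => $cat_id, ':pid' => $cat_id]);
    } elseif (($ALLOWVIEW[6] ?? 0) == 1 && $cat_id != 0) {
        $stmt = $pdo->prepare("select cat_id,cat_name,cat_color,parent_id from $CAT_TB where cat_id=:id");
        $stmt->execute([':id' => $cat_id]);
    } else {
        return [];
    }
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// For include-only files such as cal_admintop.php: stop when requested directly,
// so $calpath can only come from the script that legitimately included the file.
function deny_direct_access(): void {
    if (!defined('IN_CALENDARIX')) {   // entry scripts are assumed to define this first
        http_response_code(403);
        exit('direct access not permitted');
    }
}

// Usage (constructed data): in-memory SQLite stands in for the real backend.
$pdo = new PDO('sqlite::memory:');
$pdo->exec("create table cal_category(cat_id int, cat_name text, cat_color text, parent_id int)");
$pdo->exec("insert into cal_category values (1,'Work','#fff',0), (2,'Meetings','#eee',1)");
foreach (['1', '1 or 1=1', '2; drop table cal_category'] as $input) {
    $rows = cat_query_hardened($pdo, 'cal_category', [11 => 1], $input);
    printf("catview=%-28s -> %d row(s)\n", var_export($input, true), count($rows));
}
```

Only the plain integer input returns rows; the two crafted values are rejected by the integer filter before any query is built.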
